\documentclass[a4paper,12pt]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[margin=1in]{geometry}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{enumitem}
\usepackage{csquotes}
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}
\title{Applied Cryptography -- Assignment 1}
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
\date{March 2, 2022}
\begin{document}
\maketitle
\section*{Exercise 1}
\begin{enumerate}[label=(\alph*)]
\item Consider a setting in which an adversary $\mathcal{A}$ calls upon a second adversary $\mathcal{B}$. If $\mathcal{A}$ wants to sign a message, it asks $\mathcal{B}$, which in turn asks its oracle for a tag. $\mathcal{B}$ keeps track of all the queries made by $\mathcal{A}$ and passes the response from its oracle on to $\mathcal{A}$. If $\mathcal{A}$ makes a verification query, $\mathcal{B}$ checks whether the given tag matches the message by querying its own oracle. If the tag matches and $\mathcal{A}$ has not previously made a signing query to $\mathcal{B}$ for that message, $\mathcal{B}$ returns 1; otherwise it returns 0. With this setting in mind, the first term of the unforgeability bound for $\mathsf{MAC}$ captures the probability that $\mathcal{A}$ produces a forgery, which depends on the number of verification queries $q_v$. The second term constitutes the security of the underlying pseudorandom function: if the pseudorandom function is \enquote{broken}, the attacker gains a significant advantage when mounting a forgery attack.
\item We have
\[
\text{Adv}^{\text{prf}}_{\text{MAC}}(\mathcal{A}) = \text{Pr}\Big(\mathcal{A}^{\text{MAC}_K} = 1\Big) - \text{Pr}\Big(\mathcal{A}^{\mathcal{RO}} = 1\Big).
\]
As given, the output of $\text{MAC}_K(M)$ always has equal left and right halves, so $\text{Pr}\Big(\mathcal{A}^{\text{MAC}_K} = 1\Big) = 1$.
The probability that the output of $\mathcal{RO}$ has equal left and right halves is $2^{-\frac{n}{2}}$, because half of the bits have to match, so $\text{Pr}\Big(\mathcal{A}^{\mathcal{RO}} = 1\Big) = 2^{-\frac{n}{2}}$.
The advantage therefore becomes $\text{Adv}^{\text{prf}}_{\text{MAC}}(\mathcal{A}) = 1 - 2^{-\frac{n}{2}}$.
\end{enumerate}
\section*{Exercise 2}
\begin{enumerate}[label=(\alph*)]
\item We need to show $\text{Pr}_K(H_L(M) \oplus H_L(M') = T) \leq 2^{-n}$. Expanding $H_L$ gives
\[
\text{Pr}_K(L \otimes M \oplus L \otimes M' = T) = \text{Pr}_K((M \oplus M') \otimes L = T) \leq 2^{-n}.
\]
The security still depends on the hash key $L$ of size $n$, so the hash family is $2^{-n}$-XOR-universal.
\item Querying the MAC on $M_1 = 0$ and $M_2 = 1$ under the same nonce $N$ gives
\begin{align*}
T_1 &= \text{MAC}_K(M_1) = (0 \otimes L) \oplus F_K(N) = F_K(N),\\
T_2 &= \text{MAC}_K(M_2) = (1 \otimes L) \oplus F_K(N) = F_K(N) \oplus L,
\end{align*}
and hence $L = T_1 \oplus T_2$.
Using these steps we now possess the hash key $L$ and the value $F_K(N)$. Since the attacker can reuse the nonce $N$, a tag for any chosen message $M_3$ can be created using the same data:
\[
T_3 = \text{MAC}_K(M_3) = (M_3 \otimes L) \oplus F_K(N),
\]
and verification succeeds: $\text{VFY}_K(M_3, T_3) = \top$.
\end{enumerate}
\section*{Exercise 3}
\begin{enumerate}[label=(\alph*)]
\item The interface of $E^{-1}$ takes as input a ciphertext $C$ and a tag $T$. It first validates whether $T$ is correct. This is typically implemented using a MAC function, which depends on either the plaintext or the ciphertext (depending on the implementation approach). If the tag is incorrect, it outputs only $\bot$ and nothing else, so as to prevent leakage of data. If it is correct, it outputs $\top$ together with the plaintext $M$.
\item We have
\[
\Delta_{\mathcal{D}}(\text{AE}_K,\text{AE}^{-1}_K\ ;\ \$, \bot) \leq \Delta_{\mathcal{D}}(\text{AE}[p],\text{AE}[p]^{-1}\ ;\ \$, \bot) + \Delta_{\mathcal{D}}(\text{E}_K,\text{E}^{-1}_K\ ;\ \mathcal{P}, \mathcal{P}^{-1}).
\]
The distinguishing advantage of the AE construction instantiated with our primitive $E$ is at most the distinguishing advantage of the construction instantiated with the ideal random permutation, plus the distinguishing advantage of our primitive itself.
\item According to the scheme, the nonce and key are concatenated and used as input to the block cipher. The output is split to create the ciphertext and the tag, but in reality they are both pieces of the same ciphertext. In the real-world authenticated encryption scheme, the attacker can reuse the nonce and the message and thereby obtain the same tag again. In the ideal version of authenticated encryption the nonce is always random, so the same message results in a different tag.
\begin{align*}
\Delta_{\mathcal{D}}(\text{AE}[p],\bot\ ;\ \$, \bot) &= \Big|\text{Pr}\Big(\mathcal{A}^{\text{AE}} = 1\Big) - \text{Pr}\Big(\mathcal{A}^{\mathcal{RO}} = 1\Big)\Big| \\
&= |1 - q_m 2^{-128}|.
\end{align*}
\end{enumerate}
\section*{Exercise 4}
An attacker is able to choose the tag $T$ for both online evaluations of $\widetilde{E}_K$ and offline evaluations of $E$. Furthermore, if the same tag $T$ is chosen for an evaluation of $\widetilde{E}_K$ and an evaluation of $E$, the XOR of the two ciphertexts is the key: $C_1\oplus C_2 = K$. After $2^{k/2}$ evaluations of the block cipher and the primitive, the probability that an attacker obtains the correct key $K$ by XORing the ciphertexts is high.
\begin{gather*}
\widetilde{E}_K(M, 0^k\oplus K) = C_1,\\
E(M, 0^k) = C_2,\\
K = C_1\oplus C_2.
\end{gather*}
\section*{Exercise 5}
\begin{enumerate}[label=(\alph*)]
\item The polynomial associated with \enquote{2} is $X$, the polynomial associated with \enquote{3} is $X + 1$, and the polynomial associated with \enquote{7} is $X^2 + X + 1$.
\item
\begin{align*}
X^3\cdot (X^4+X^2+1) &= X^7+X^5+X^3 = 10101000,\\
(X^4+X^3)\cdot (X^4+X^2+1) &= X^8+X^7+X^6+X^5+X^4+X^3 = 000111111000.
\end{align*}
\item
\[
X\cdot X^{127} \pmod{X^{128}+X^7+X^2+X+1} = X^{128}.
\]
\item $\mathsf{XEX}_K$ does not use $2,3,5$ as masks, because $3^2 = 5$ in the group $\mathbb{F}^*_{2^n}$:
\[
3^2 = (X+1)^2 = X^2 + 1 = 5.
\]
\end{enumerate}
\section*{Exercise 6}
\begin{enumerate}[label=(\alph*)]
\item
\item The attack to distinguish this scheme is as follows:
\begin{align*}
F_K(M_1) &= \widetilde{E}_K(1, M_1) = T_1,\\
F_K(M_1 \| T_1) &= \widetilde{E}_K\Big(2, \widetilde{E}_K(1, M_1) \oplus \widetilde{E}_K(1, M_1)\Big) = \widetilde{E}_K(2, 0) = T_2,\\
F_K(M'_1) &= \widetilde{E}_K(1, M'_1) = T'_1,\\
F_K(M'_1 \| T'_1) &= \widetilde{E}_K\Big(2, \widetilde{E}_K(1, M'_1) \oplus \widetilde{E}_K(1, M'_1)\Big) = \widetilde{E}_K(2, 0) = T'_2.
\end{align*}
For this PRF construction, $T_2 = T'_2$ regardless of the messages chosen. This means it is easy to create a forgery by reusing the tag, from a single query.
\end{enumerate}
\end{document}